FIN10 is a financially motivated threat group that has targeted organizations in North America from at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. [1]

ID: G0051
Aliases: FIN10
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1107 | File Deletion | FIN10 has used batch scripts and scheduled tasks to delete critical system files.[1] |
| Enterprise | T1086 | PowerShell | FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.[1][2] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.[1][2] |
| Enterprise | T1076 | Remote Desktop Protocol | FIN10 has used RDP to move laterally to systems in the victim environment.[1] |
| Enterprise | T1105 | Remote File Copy | FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.[1] |
| Enterprise | T1053 | Scheduled Task | FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.[1][2] |
| Enterprise | T1064 | Scripting | FIN10 has executed malicious .bat files containing PowerShell commands.[1] |
| Enterprise | T1033 | System Owner/User Discovery | FIN10 has used Meterpreter to enumerate users on remote systems.[1] |
| Enterprise | T1078 | Valid Accounts | FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor. The group has also moved laterally using the Local Administrator account.[1] |